Can we, or is it good practice to, install Apache Struts patches even if we don't run Apache Struts?

Q1:
Will the patches install even if we don't use Apache Struts?

Q2:
Is it good practice to install Apache Struts patches even if we don't use
Apache Struts? Perhaps in future someone may install Apache Struts and the IT
Security team doesn't realize it.

Q3:
What are the common products that use Apache Struts? IBM WebSphere,
Apache web server?
sunhux asked:

btan (Exec Consultant) commented:
1. It is applicable only if the OS has the Apache Struts framework. To patch is to upgrade, and it will check for the framework's existence; otherwise it cannot even install the JAR. See the list of vulnerability bulletins; each will tell you the changes needed:
https://struts.apache.org/docs/security-bulletins.html

2. Yes and no. The latest will have improvements, and you can check the release notes. However, it may break the Java EE application, so always test it out before making any changes and migration patches. But for security bulletins, the advice is always to patch to the latest; otherwise you are vulnerable and will likewise fail any audit scan. Not knowing is not an excuse, hence it is more a matter of asset discovery of the application, and more of an SOP to be put in place for oversight control.

3. Maven, content management systems like Liferay (you can search the open-source CMS list for any "struts": https://java-source.net/open-source/content-managment-systems), and those that use its plugins, like opensymphony.xwork2 or SiteMesh:
https://struts.apache.org/docs/plugins.html
0

gheist commented:
A1: If you have Struts included with the application server, patch it.
A2: YES, remove or patch is the motto of today...
A3: Java web applications running on e.g. the products you mention use it.
Extending: anybody can include old Struts in a web application. You (or your security office) need to review those in addition to patching the component IF it is included with the server.
0
masnrock commented:
1) Yes. The question is whether you have it installed, not whether you actually utilize it. The main thing that's getting patched is a feature that doesn't even have to be in use.
2) If Struts is installed, it's best to patch it. But if there is no reason for Struts to be installed (it's not required for functionality of any sort and nothing else is dependent on it), there's no point in having it installed.
3) The better question is what applications you have in place and utilize. Then it's easier to work backwards to find what actually uses Struts. You may have an in-house custom Java app that uses Struts, but nothing off the shelf. Not the easiest for us to answer for you.
0

gheist commented:
0) Some web application templates and sample Maven workflows will pull Struts in even without making a single call to it...
0
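The thread's practical point (btan's "asset discovery", masnrock's "whether you have it installed", gheist's note that Maven workflows pull Struts in unused) comes down to finding Struts JARs on your own servers, including ones bundled inside a WAR or EAR. The following is an added example, not code from the thread: it walks a deployment directory, opens every zip-based archive, matches Struts 1 and Struts 2 core artifacts by their Maven file names, and reads the version from the `pom.properties` Maven leaves inside the JAR when present. The fixture it scans is constructed in a scratch directory, and its version numbers are made up.

```python
import io
import pathlib
import re
import tempfile
import zipfile

# Maven artifact names of the Struts 1 (struts, struts-core) and Struts 2 (struts2-core) runtime.
STRUTS_JAR = re.compile(r"(?:^|/)(struts2-core|struts-core|struts)-(\d[\w.]*)\.jar$")

def _pom_version(jar):
    """Version recorded in META-INF/maven/**/pom.properties of an open ZipFile, or None."""
    for name in jar.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None

def find_struts(root):
    """Walk a deployment tree; report each Struts core JAR as (path, inner name, version)."""
    hits = []
    for path in (p for p in pathlib.Path(root).rglob("*") if p.is_file() and zipfile.is_zipfile(p)):
        with zipfile.ZipFile(path) as archive:  # JAR, WAR and EAR are all zip containers
            m = STRUTS_JAR.search(path.name)
            if m:  # a Struts JAR dropped straight into a lib/ directory
                hits.append((str(path), None, _pom_version(archive) or m.group(2)))
            for name in archive.namelist():  # Struts bundled inside a WAR/EAR/fat JAR
                n = STRUTS_JAR.search(name)
                if n:
                    with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                        hits.append((str(path), name, _pom_version(inner) or n.group(2)))
    return hits

def build_sample(root):
    """Constructed fixture, not a real deployment: a WAR bundling a Maven-built Struts 2
    core JAR, plus a bare Struts 1 JAR with no metadata. Version numbers are made up."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:  # the metadata Maven leaves under META-INF/maven/
        z.writestr("META-INF/maven/org.apache.struts/struts2-core/pom.properties", "version=2.3.99\n")
    with zipfile.ZipFile(pathlib.Path(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.99.jar", core.getvalue())
    with zipfile.ZipFile(pathlib.Path(root, "struts-core-1.3.99.jar"), "w"):
        pass  # no pom.properties, so only the file name identifies it
    return root

def demo():
    return sorted(find_struts(build_sample(tempfile.mkdtemp())), key=lambda h: h[0])
```

`demo()` builds the fixture in a scratch directory and returns the hits; on a real server point `find_struts` at the application server's deployment and lib directories instead.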
btan (Exec Consultant) commented:
Sounds obvious, but it still needs to be mentioned: if still using Struts 1, you should still upgrade even though it is not affected by these recent Struts 2 vulnerabilities. Some listing of Struts vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
1
sunhux (Author) commented:
If I'm not mistaken, from the link about the vulnerability, we're asked to install a newer release (sort of a sub-version) and it's not a patch. If that's the case, then if we have no Struts running/installed currently, all the more we should not install it, as we'll end up having Struts installed (which we don't have in the first place) and this will open us up to future Struts vulnerabilities.

From past Apache Struts v2 vulnerabilities, is it usually patches or newer releases that are provided to address the vulnerabilities?
0
btan (Exec Consultant) commented:
It is common for fixes to be specific to a vulnerability; the security bulletins for Struts are all patches to a newer minor version rather than a major version upgrade, from 1 to 2 as an example. To note, the latest version is still advocated where possible, especially for end-of-support or end-of-life reasons when using the older version.

There is an online checker for this vulnerability; if nothing is found, it may also mean that Struts is not installed.

https://www.tinfoilsecurity.com/strutshock
0